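The following is an overview of all available policies in Cinder. Each entry gives the policy name, its default check string, the API operation(s) it governs and a short description. A default of <empty string> means the policy check always passes, so the rule by itself does not restrict the operation to administrators or to the owning project.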
context_is_admin
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_or_owner
is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
Default rule for most non-Admin APIs.
admin_api
is_admin:True or (role:admin and is_admin_project:True)
Default rule for most Admin APIs.
volume:attachment_create
<empty string>
POST /attachments
Create attachment.
volume:attachment_update
rule:admin_or_owner
PUT /attachments/{attachment_id}
Update attachment.
volume:attachment_delete
rule:admin_or_owner
DELETE /attachments/{attachment_id}
Delete attachment.
volume:attachment_complete
rule:admin_or_owner
POST /attachments/{attachment_id}/action (os-complete)
Mark a volume attachment process as completed (in-use).
volume:multiattach_bootable_volume
rule:admin_or_owner
POST /attachments
Allow multiattach of bootable volumes.
message:get_all
rule:admin_or_owner
GET /messages
List messages.
message:get
rule:admin_or_owner
GET /messages/{message_id}
Show message.
message:delete
rule:admin_or_owner
DELETE /messages/{message_id}
Delete message.
clusters:get_all
rule:admin_api
GET /clusters
GET /clusters/detail
List clusters.
clusters:get
rule:admin_api
GET /clusters/{cluster_id}
Show cluster.
clusters:update
rule:admin_api
PUT /clusters/{cluster_id}
Update cluster.
workers:cleanup
rule:admin_api
POST /workers/cleanup
Clean up workers.
volume:get_snapshot_metadata
rule:admin_or_owner
GET /snapshots/{snapshot_id}/metadata
GET /snapshots/{snapshot_id}/metadata/{key}
Show snapshot’s metadata or one specified metadata with a given key.
volume:update_snapshot_metadata
rule:admin_or_owner
PUT /snapshots/{snapshot_id}/metadata
PUT /snapshots/{snapshot_id}/metadata/{key}
Update snapshot’s metadata or one specified metadata with a given key.
volume:delete_snapshot_metadata
rule:admin_or_owner
DELETE /snapshots/{snapshot_id}/metadata/{key}
Delete snapshot’s specified metadata with a given key.
volume:get_all_snapshots
rule:admin_or_owner
GET /snapshots
GET /snapshots/detail
List snapshots.
volume_extension:extended_snapshot_attributes
rule:admin_or_owner
GET /snapshots/{snapshot_id}
GET /snapshots/detail
List or show snapshots with extended attributes.
volume:create_snapshot
rule:admin_or_owner
POST /snapshots
Create snapshot.
volume:get_snapshot
rule:admin_or_owner
GET /snapshots/{snapshot_id}
Show snapshot.
volume:update_snapshot
rule:admin_or_owner
PUT /snapshots/{snapshot_id}
Update snapshot.
volume:delete_snapshot
rule:admin_or_owner
DELETE /snapshots/{snapshot_id}
Delete snapshot.
volume_extension:snapshot_admin_actions:reset_status
rule:admin_api
POST /snapshots/{snapshot_id}/action (os-reset_status)
Reset status of a snapshot.
snapshot_extension:snapshot_actions:update_snapshot_status
<empty string>
POST /snapshots/{snapshot_id}/action (update_snapshot_status)
Update database fields of snapshot.
volume_extension:snapshot_admin_actions:force_delete
rule:admin_api
POST /snapshots/{snapshot_id}/action (os-force_delete)
Force delete a snapshot.
snapshot_extension:list_manageable
rule:admin_api
GET /manageable_snapshots
GET /manageable_snapshots/detail
List (optionally in detail) the snapshots which are available to manage.
snapshot_extension:snapshot_manage
rule:admin_api
POST /manageable_snapshots
Manage an existing snapshot.
snapshot_extension:snapshot_unmanage
rule:admin_api
POST /snapshots/{snapshot_id}/action (os-unmanage)
Stop managing a snapshot.
backup:get_all
rule:admin_or_owner
GET /backups
GET /backups/detail
List backups.
backup:backup_project_attribute
rule:admin_api
GET /backups/{backup_id}
GET /backups/detail
List backups or show backup with project attributes.
backup:create
<empty string>
POST /backups
Create backup.
backup:get
rule:admin_or_owner
GET /backups/{backup_id}
Show backup.
backup:update
rule:admin_or_owner
PUT /backups/{backup_id}
Update backup.
backup:delete
rule:admin_or_owner
DELETE /backups/{backup_id}
Delete backup.
backup:restore
rule:admin_or_owner
POST /backups/{backup_id}/restore
Restore backup.
backup:backup-import
rule:admin_api
POST /backups/{backup_id}/import_record
Import backup.
backup:export-import
rule:admin_api
POST /backups/{backup_id}/export_record
Export backup.
volume_extension:backup_admin_actions:reset_status
rule:admin_api
POST /backups/{backup_id}/action (os-reset_status)
Reset status of a backup.
volume_extension:backup_admin_actions:force_delete
rule:admin_api
POST /backups/{backup_id}/action (os-force_delete)
Force delete a backup.
group:get_all
rule:admin_or_owner
GET /groups
GET /groups/detail
List groups.
group:create
<empty string>
POST /groups
Create group.
group:get
rule:admin_or_owner
GET /groups/{group_id}
Show group.
group:update
rule:admin_or_owner
PUT /groups/{group_id}
Update group.
group:group_project_attribute
rule:admin_api
GET /groups/{group_id}
GET /groups/detail
List groups or show group with project attributes.
group:group_types_manage
rule:admin_api
POST /group_types/
PUT /group_types/{group_type_id}
DELETE /group_types/{group_type_id}
Create, update or delete a group type.
group:access_group_types_specs
rule:admin_api
GET /group_types/{group_type_id}
Show group type with type specs attributes.
group:group_types_specs
rule:admin_api
GET /group_types/{group_type_id}/group_specs/{g_spec_id}
GET /group_types/{group_type_id}/group_specs
POST /group_types/{group_type_id}/group_specs
PUT /group_types/{group_type_id}/group_specs/{g_spec_id}
DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}
Create, show, update and delete group type spec.
group:get_all_group_snapshots
rule:admin_or_owner
GET /group_snapshots
GET /group_snapshots/detail
List group snapshots.
group:create_group_snapshot
<empty string>
POST /group_snapshots
Create group snapshot.
group:get_group_snapshot
rule:admin_or_owner
GET /group_snapshots/{group_snapshot_id}
Show group snapshot.
group:delete_group_snapshot
rule:admin_or_owner
DELETE /group_snapshots/{group_snapshot_id}
Delete group snapshot.
group:update_group_snapshot
rule:admin_or_owner
PUT /group_snapshots/{group_snapshot_id}
Update group snapshot.
group:group_snapshot_project_attribute
rule:admin_api
GET /group_snapshots/{group_snapshot_id}
GET /group_snapshots/detail
List group snapshots or show group snapshot with project attributes.
group:reset_group_snapshot_status
rule:admin_or_owner
POST /group_snapshots/{g_snapshot_id}/action (reset_status)
Reset status of group snapshot.
group:delete
rule:admin_or_owner
POST /groups/{group_id}/action (delete)
Delete group.
group:reset_status
rule:admin_api
POST /groups/{group_id}/action (reset_status)
Reset status of group.
group:enable_replication
rule:admin_or_owner
POST /groups/{group_id}/action (enable_replication)
Enable replication.
group:disable_replication
rule:admin_or_owner
POST /groups/{group_id}/action (disable_replication)
Disable replication.
group:failover_replication
rule:admin_or_owner
POST /groups/{group_id}/action (failover_replication)
Fail over replication.
group:list_replication_targets
rule:admin_or_owner
POST /groups/{group_id}/action (list_replication_targets)
List replication targets for failover.
volume_extension:qos_specs_manage:get_all
rule:admin_api
GET /qos-specs
GET /qos-specs/{qos_id}/associations
List qos specs or list all associations.
volume_extension:qos_specs_manage:get
rule:admin_api
GET /qos-specs/{qos_id}
Show qos specs.
volume_extension:qos_specs_manage:create
rule:admin_api
POST /qos-specs
Create qos specs.
volume_extension:qos_specs_manage:update
rule:admin_api
PUT /qos-specs/{qos_id}
GET /qos-specs/{qos_id}/disassociate_all
GET /qos-specs/{qos_id}/associate
GET /qos-specs/{qos_id}/disassociate
Update qos specs (including updating association).
volume_extension:qos_specs_manage:delete
rule:admin_api
DELETE /qos-specs/{qos_id}
PUT /qos-specs/{qos_id}/delete_keys
Delete qos specs or unset one specified qos key.
volume_extension:quota_classes
rule:admin_api
GET /os-quota-class-sets/{project_id}
PUT /os-quota-class-sets/{project_id}
Show or update project quota class.
volume_extension:quotas:show
rule:admin_or_owner
GET /os-quota-sets/{project_id}
GET /os-quota-sets/{project_id}/default
GET /os-quota-sets/{project_id}?usage=True
Show project quota (including usage and default).
volume_extension:quotas:update
rule:admin_api
PUT /os-quota-sets/{project_id}
Update project quota.
volume_extension:quotas:delete
rule:admin_api
DELETE /os-quota-sets/{project_id}
Delete project quota.
volume_extension:quota_classes:validate_setup_for_nested_quota_use
rule:admin_api
GET /os-quota-sets/validate_setup_for_nested_quota_use
Validate setup for nested quota.
volume_extension:capabilities
rule:admin_api
GET /capabilities/{host_name}
Show backend capabilities.
volume_extension:services:index
rule:admin_api
GET /os-services
List all services.
volume_extension:services:update
rule:admin_api
PUT /os-services/{action}
Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.
volume:freeze_host
rule:admin_api
PUT /os-services/freeze
Freeze a backend host.
volume:thaw_host
rule:admin_api
PUT /os-services/thaw
Thaw a backend host.
volume:failover_host
rule:admin_api
PUT /os-services/failover_host
Failover a backend host.
scheduler_extension:scheduler_stats:get_pools
rule:admin_api
GET /scheduler-stats/get_pools
List all backend pools.
volume_extension:hosts
rule:admin_api
GET /os-hosts
PUT /os-hosts/{host_name}
GET /os-hosts/{host_id}
List, update or show hosts for a project.
limits_extension:used_limits
rule:admin_or_owner
GET /limits
Show limits with used limit attributes.
volume_extension:list_manageable
rule:admin_api
GET /manageable_volumes
GET /manageable_volumes/detail
List (optionally in detail) the volumes which are available to manage.
volume_extension:volume_manage
rule:admin_api
POST /manageable_volumes
Manage existing volumes.
volume_extension:volume_unmanage
rule:admin_api
POST /volumes/{volume_id}/action (os-unmanage)
Stop managing a volume.
volume_extension:types_manage
rule:admin_api
POST /types
PUT /types
DELETE /types
Create, update and delete volume type.
volume_extension:type_get
<empty string>
GET /types/{type_id}
Get one specific volume type.
volume_extension:type_get_all
<empty string>
GET /types/
List volume types.
volume_extension:volume_type_encryption
rule:admin_api
POST /types/{type_id}/encryption
PUT /types/{type_id}/encryption/{encryption_id}
GET /types/{type_id}/encryption
GET /types/{type_id}/encryption/{key}
DELETE /types/{type_id}/encryption/{encryption_id}
Base policy for all volume type encryption type operations. This can be used to set the policies for a volume type’s encryption type create, show, update, and delete actions in one place, or any of those may be set individually using the following policy targets for finer grained control.
volume_extension:volume_type_encryption:create
rule:volume_extension:volume_type_encryption
POST /types/{type_id}/encryption
Create volume type encryption.
volume_extension:volume_type_encryption:get
rule:volume_extension:volume_type_encryption
GET /types/{type_id}/encryption
GET /types/{type_id}/encryption/{key}
Show a volume type’s encryption type, show an encryption specs item.
volume_extension:volume_type_encryption:update
rule:volume_extension:volume_type_encryption
PUT /types/{type_id}/encryption/{encryption_id}
Update volume type encryption.
volume_extension:volume_type_encryption:delete
rule:volume_extension:volume_type_encryption
DELETE /types/{type_id}/encryption/{encryption_id}
Delete volume type encryption.
volume_extension:access_types_extra_specs
rule:admin_api
GET /types/{type_id}
GET /types
List or show volume type with access type extra specs attribute.
volume_extension:access_types_qos_specs_id
rule:admin_api
GET /types/{type_id}
GET /types
List or show volume type with access type qos specs id attribute.
volume_extension:volume_type_access
rule:admin_or_owner
GET /types
GET /types/detail
GET /types/{type_id}
POST /types
Volume type access related APIs.
volume_extension:volume_type_access:addProjectAccess
rule:admin_api
POST /types/{type_id}/action (addProjectAccess)
Add volume type access for project.
volume_extension:volume_type_access:removeProjectAccess
rule:admin_api
POST /types/{type_id}/action (removeProjectAccess)
Remove volume type access for project.
volume:extend
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-extend)
Extend a volume.
volume:extend_attached_volume
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-extend)
Extend an attached volume.
volume:revert_to_snapshot
rule:admin_or_owner
POST /volumes/{volume_id}/action (revert)
Revert a volume to a snapshot.
volume_extension:volume_admin_actions:reset_status
rule:admin_api
POST /volumes/{volume_id}/action (os-reset_status)
Reset status of a volume.
volume:retype
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-retype)
Retype a volume.
volume:update_readonly_flag
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-update_readonly_flag)
Update a volume’s readonly flag.
volume_extension:volume_admin_actions:force_delete
rule:admin_api
POST /volumes/{volume_id}/action (os-force_delete)
Force delete a volume.
volume_extension:volume_actions:upload_public
rule:admin_api
POST /volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image with public visibility.
volume_extension:volume_actions:upload_image
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image.
volume_extension:volume_admin_actions:force_detach
rule:admin_api
POST /volumes/{volume_id}/action (os-force_detach)
Force detach a volume.
volume_extension:volume_admin_actions:migrate_volume
rule:admin_api
POST /volumes/{volume_id}/action (os-migrate_volume)
Migrate a volume to a specified host.
volume_extension:volume_admin_actions:migrate_volume_completion
rule:admin_api
POST /volumes/{volume_id}/action (os-migrate_volume_completion)
Complete a volume migration.
volume_extension:volume_actions:initialize_connection
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-initialize_connection)
Initialize volume attachment.
volume_extension:volume_actions:terminate_connection
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-terminate_connection)
Terminate volume attachment.
volume_extension:volume_actions:roll_detaching
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-roll_detaching)
Roll back volume status to ‘in-use’.
volume_extension:volume_actions:reserve
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-reserve)
Mark volume as reserved.
volume_extension:volume_actions:unreserve
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-unreserve)
Unmark volume as reserved.
volume_extension:volume_actions:begin_detaching
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-begin_detaching)
Begin detaching a volume.
volume_extension:volume_actions:attach
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-attach)
Add attachment metadata.
volume_extension:volume_actions:detach
rule:admin_or_owner
POST /volumes/{volume_id}/action (os-detach)
Clear attachment metadata.
volume:get_all_transfers
rule:admin_or_owner
GET /os-volume-transfer
GET /os-volume-transfer/detail
GET /volume_transfers
GET /volume-transfers/detail
List volume transfers.
volume:create_transfer
rule:admin_or_owner
POST /os-volume-transfer
POST /volume_transfers
Create a volume transfer.
volume:get_transfer
rule:admin_or_owner
GET /os-volume-transfer/{transfer_id}
GET /volume-transfers/{transfer_id}
Show one specified volume transfer.
volume:accept_transfer
<empty string>
POST /os-volume-transfer/{transfer_id}/accept
POST /volume-transfers/{transfer_id}/accept
Accept a volume transfer.
volume:delete_transfer
rule:admin_or_owner
DELETE /os-volume-transfer/{transfer_id}
DELETE /volume-transfers/{transfer_id}
Delete volume transfer.
volume:get_volume_metadata
rule:admin_or_owner
GET /volumes/{volume_id}/metadata
GET /volumes/{volume_id}/metadata/{key}
Show volume’s metadata or one specified metadata with a given key.
volume:create_volume_metadata
rule:admin_or_owner
POST /volumes/{volume_id}/metadata
Create volume metadata.
volume:update_volume_metadata
rule:admin_or_owner
PUT /volumes/{volume_id}/metadata
PUT /volumes/{volume_id}/metadata/{key}
Update volume’s metadata or one specified metadata with a given key.
volume:delete_volume_metadata
rule:admin_or_owner
DELETE /volumes/{volume_id}/metadata/{key}
Delete volume’s specified metadata with a given key.
volume_extension:volume_image_metadata
rule:admin_or_owner
GET /volumes/detail
GET /volumes/{volume_id}
POST /volumes/{volume_id}/action (os-set_image_metadata)
POST /volumes/{volume_id}/action (os-unset_image_metadata)
Operations on a volume’s image metadata: create, delete, show and list.
volume:update_volume_admin_metadata
rule:admin_api
POST /volumes/{volume_id}/action (os-update_readonly_flag)
POST /volumes/{volume_id}/action (os-attach)
Update volume admin metadata. This policy is used by the os-attach and os-update_readonly_flag actions.
volume_extension:types_extra_specs:index
rule:admin_api
GET /types/{type_id}/extra_specs
List type extra specs.
volume_extension:types_extra_specs:create
rule:admin_api
POST /types/{type_id}/extra_specs
Create type extra specs.
volume_extension:types_extra_specs:show
rule:admin_api
GET /types/{type_id}/extra_specs/{extra_spec_key}
Show one specified type extra specs.
volume_extension:types_extra_specs:update
rule:admin_api
PUT /types/{type_id}/extra_specs/{extra_spec_key}
Update type extra specs.
volume_extension:types_extra_specs:delete
rule:admin_api
DELETE /types/{type_id}/extra_specs/{extra_spec_key}
Delete type extra specs.
volume:create
<empty string>
POST /volumes
Create volume.
volume:create_from_image
<empty string>
POST /volumes
Create volume from image.
volume:get
rule:admin_or_owner
GET /volumes/{volume_id}
Show volume.
volume:get_all
rule:admin_or_owner
GET /volumes
GET /volumes/detail
GET /volumes/summary
List volumes or get summary of volumes.
volume:update
rule:admin_or_owner
PUT /volumes
POST /volumes/{volume_id}/action (os-set_bootable)
Update volume or update a volume’s bootable status.
volume:delete
rule:admin_or_owner
DELETE /volumes/{volume_id}
Delete volume.
volume:force_delete
rule:admin_api
DELETE /volumes/{volume_id}
Force delete a volume.
volume_extension:volume_host_attribute
rule:admin_api
GET /volumes/{volume_id}
GET /volumes/detail
List or show volume with host attribute.
volume_extension:volume_tenant_attribute
rule:admin_or_owner
GET /volumes/{volume_id}
GET /volumes/detail
List or show volume with tenant attribute.
volume_extension:volume_mig_status_attribute
rule:admin_api
GET /volumes/{volume_id}
GET /volumes/detail
List or show volume with migration status attribute.
volume_extension:volume_encryption_metadata
rule:admin_or_owner
GET /volumes/{volume_id}/encryption
GET /volumes/{volume_id}/encryption/{encryption_key}
Show volume’s encryption metadata.
volume:multiattach
rule:admin_or_owner
POST /volumes
Create multiattach capable volume.